While deploying a logging and authentication solution for a company, I came across two very interesting technologies: TACACS+ and Syslog. Though I had worked with Syslog previously, TACACS+ was a new protocol for me. Now, why would someone suddenly deploy these two protocols, and at the same time? Yes… you guessed it right: SECURITY was the main reason behind the deployment of both.

First of all, TACACS+ is an Authentication, Authorization and Accounting (AAA) protocol. A TACACS+ server provides centralised authentication of the users who manage network devices, unlike RADIUS servers, which are used mainly to authenticate users for wired and wireless network access.

Coming to the syslog portion, I can definitely say that all network admins must implement a syslog server for better monitoring of their devices, so they can take immediate action on any emergency incident. You won’t believe what I found after I enabled syslog on one of our Cisco switches: NUMEROUS BRUTE-FORCE ATTACKS!!! Those attacks originated mainly from China and Hong Kong based IP addresses. We all know that there are 7 types of facility. A facility is used to specify what type of program is logging the message; this lets the configuration file specify that messages from different facilities are handled differently. The list of facilities available is:

| Value | Severity  | Keyword | Description / Examples |
|-------|-----------|---------|------------------------|
| 0     | Emergency | emerg   | Multiple apps/servers/sites are affected. This level should not be used by applications. |
| 1     | Alert     | alert   | Should be corrected immediately. An example might be the loss of the primary ISP connection. |
| 2     | Critical  | crit    | May be used to indicate a failure in the system’s primary application. |
| 3     | Error     | err     | An application has exceeded its file storage limit and attempts to write are failing. |
| 4     | Warning   | warning | May indicate that an error will occur if action is not taken. For example, a non-root file system has only 2GB remaining. |
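To make the severity table and the brute-force observation above concrete, here is an added example (not code from the original post) that decodes the `<PRI>` header a syslog collector receives into facility and severity, parses the Cisco IOS `%FACILITY-SEVERITY-MNEMONIC` message format, and counts `LOGIN_FAILED` events per source address so repeated failures from one host stand out. The log lines, IP addresses and the alert threshold are constructed for illustration; the severity keywords 5–7 and the facility codes come from RFC 5424 rather than from the post.

```python
"""Decode syslog PRI and count failed logins per source address.

Added example, not code from the original post. The log lines below are
constructed to resemble what a Cisco IOS device sends to a syslog
collector; the alert threshold is an assumption for illustration.
"""
import re
from collections import Counter

# Severity keywords 0-7 (RFC 5424); the post's table covers 0-4.
SEVERITY_KEYWORDS = ["emerg", "alert", "crit", "err",
                     "warning", "notice", "info", "debug"]

# Facility codes 0-23 (RFC 5424). Cisco IOS defaults to local7.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog",
                  "lpr", "news", "uucp", "cron", "authpriv", "ftp",
                  "ntp", "audit", "alert", "clock"] + \
                 [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
# Cisco IOS message body: %FACILITY-SEVERITY-MNEMONIC: text
CISCO_RE = re.compile(
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
SOURCE_RE = re.compile(r"\[Source: (?P<ip>[0-9A-Fa-f.:]+)\]")


def decode_pri(pri):
    """Split a PRI value into (facility name, severity keyword).

    PRI = facility * 8 + severity, so divmod recovers both fields.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility], SEVERITY_KEYWORDS[severity]


def parse_line(line):
    """Parse one collected line; return None for anything unrecognised."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    c = CISCO_RE.search(m.group("rest"))
    if not c:
        return None
    src = SOURCE_RE.search(c.group("text"))
    return {
        "facility": facility,              # from the PRI header
        "severity": severity,              # from the PRI header
        "cisco_facility": c.group("fac"),  # e.g. SEC_LOGIN
        "mnemonic": c.group("mnem"),       # e.g. LOGIN_FAILED
        "source_ip": src.group("ip") if src else None,
        "text": c.group("text"),
    }


def failed_logins_by_source(lines):
    """Count SEC_LOGIN LOGIN_FAILED events per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["cisco_facility"] == "SEC_LOGIN"
                and rec["mnemonic"] == "LOGIN_FAILED" and rec["source_ip"]):
            counts[rec["source_ip"]] += 1
    return counts


def flag_brute_force(lines, threshold=3):
    """Return (ip, count) pairs at or above the threshold, highest first."""
    counts = failed_logins_by_source(lines)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda p: (-p[1], p[0]))


# Constructed sample input. PRI 188 = local7 (23*8) + warning (4),
# PRI 189 = local7 + notice (5). Addresses are documentation ranges.
SAMPLE_LOGS = [
    "<188>101: Mar  3 10:00:01.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Tue Mar 3 2015",
    "<188>102: Mar  3 10:00:03.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 10:00:03 UTC Tue Mar 3 2015",
    "<188>103: Mar  3 10:00:04.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:04 UTC Tue Mar 3 2015",
    "<188>104: Mar  3 10:00:05.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 10:00:05 UTC Tue Mar 3 2015",
    "<189>105: Mar  3 10:00:09.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.50] [localport: 22] at 10:00:09 UTC Tue Mar 3 2015",
    "<188>106: Mar  3 10:00:11.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 10:00:11 UTC Tue Mar 3 2015",
    "<189>107: Mar  3 10:01:00.000: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.0.2.50)",
]

if __name__ == "__main__":
    for ip, n in flag_brute_force(SAMPLE_LOGS):
        print(f"{ip}: {n} failed logins")
```

On the sample input the only address over the threshold is 203.0.113.5 with four failures; the single failure from 198.51.100.7 and the successful login from 192.0.2.50 are counted but not flagged. A real collector would apply the same logic over a sliding time window rather than the whole file.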

Steps for enabling TACACS+ Authentication on a Cisco 7200 router:

1) Install the TACACS+ server as usual, accepting the license agreements and so on.
2) When asked for a password, provide one [ex: cisco]. This is the shared key the network devices (clients) will use to connect to the TACACS+ server.
3) Click Finish.
4) From Run -> services.msc, scroll down to the TACACS+ service. It must be in the Started state. If not, start it manually.
5) Then, from the Start menu -> Tacacs.net -> Configuration, all the files related to the TACACS+ configuration will be shown.
6) Right-click on tacplus.xml and select Properties. Uncheck the “Read-only” option. Click Apply -> OK.
7) If you want to enable syslog server logging for TACACS+, open tacplus.xml. Remove the comment markers <!-- and --> from the line saying Syslog Host=”… and set the host to the IP of the syslog server.
Also, change <LocalIP> to your NIC’s IP, as the TACACS+ server will listen on this interface. If you keep 127.0.0.1, the router will not be able to authenticate against the TACACS+ server.
8) Now add a user in the authentication.xml file. Open authentication.xml, remove the comment markers from the User group and give the desired username and password. Remember that the users created here exist only on the TACACS+ server.
9) In the meantime you should see syslog messages appear in your syslog server console, which indicates a correct syslog configuration.
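The steps above cover the server side only. For completeness, here is an added example of the matching router-side Cisco IOS configuration; it is not from the original post and uses the shared key from step 2. The two addresses are placeholders: 192.0.2.10 stands for the NIC IP set in <LocalIP> in step 7, and 192.0.2.20 for the syslog server. The `local` fallback keeps console access working if the TACACS+ server is unreachable, and `login on-failure log` is what produces the failed-login messages discussed earlier.

```cisco
! Added example, not from the original post. Addresses are placeholders.
aaa new-model
! TACACS+ server = the Tacacs.net host's NIC IP (step 7), key = step 2 password
tacacs-server host 192.0.2.10 key cisco
! Authenticate and authorize device logins against TACACS+, fall back to
! local accounts only if the server cannot be reached
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Record exec sessions on the TACACS+ server (the accounting in AAA)
aaa accounting exec default start-stop group tacacs+
! Ship warnings and above (severity 0-4 in the table) to the syslog server
logging host 192.0.2.20
logging trap warnings
! Emit a syslog message for every failed login attempt
login on-failure log
```

Before changing the default login method, keep an existing session open and test authentication from a second session, so a typo in the key or a wrong <LocalIP> does not lock you out of the router.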